Introduction to Cryptography. Lecture 8

Transcription

1 Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1

2 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication modulo a composite number N (G, ) = ({a s.t. 1 a N-1 and gcd(a,n)=1}, ) E.g., Z 10* = ( {1,3,7,9}, ) page 2 2

3 Cyclic Groups Exponentiation is repeated application of a 3 = a a a. a 0 = 1. a -x = (a -1 ) x A group G is cyclic if there exists a generator g, s.t. a G, i s.t. g i =a. I.e., G= <g> = {1, g, g 2, g 3, } For example Z 7 * = <3> = {1,3,2,6,4,5} Not all a G are generators of G, but they all generate a subgroup of G. E.g. 2 is not a generator of Z 7 * The order of a group element a is the smallest j>0 s.t. a j =1 Lagrange s theorem for x Z p*, ord(x) p-1. page 3 3

4 Computing in Z p * P is a huge prime (1024 bits) Easy tasks (measured in bit operations): Adding in O(log p) (namely, linear n the length of p) Multiplying in O(log 2 p) (and even in O(log 1.7 p) ) Inverting (a to a -1 ) in O(log 2 p) Exponentiations: x r mod p in O(log r log 2 p), using repeated squaring page 4 4

5 Euler s phi function Lagrange s Theorem: a in a finite group G, a G =1. Euler s phi function (aka, Euler s totient function), φ(n) = number of elements in Z * n φ(p) = p-1 for a prime p. n= i=1..k p e(i) i φ(n) = n i=1..k (1-1/p i ) φ(p 2 ) = p(p-1) for a prime p. n=p q φ(n) =(p-1)(q-1) (i.e. {x gcd(x,n)=1, 1 x n} Corollary: For Z n* (n=p q), Z n* = φ(n) =(p-1)(q-1). a Z n* it holds that a φ(n) =1 mod n For Z p* (prime p), a p-1 =1 mod p (Fermat s theorem). For Z n* (n=p q), a (p-1)(q-1) =1 mod n page 5 5

6 Finding prime numbers page 6 6

7 Finding prime numbers Prime number theorem: #{primes x} x / lnx as x How can we find a random k-bit prime? Choose x at random in {2 k,,2 k+1-1} (How many numbers in that range are prime? About 2 k+1 / ln2 k+1-2 k / ln2 k numbers, i.e. a 1/ ln(2 k ) fraction.) Test if x is prime (more on this later in the course) The probability of success is 1/ln(2 k ) = O(1/k). The expected number of trials is O(k). page 7 7

8 Finding generators How can we find a generator of Z p*? Pick a random number a [1,p-1], check if is a generator Naively, check whether 1 i p-2 a i 1 But we know that if a i =1 mod p then i p-1. Therefore need to check only i for which i p-1. Easy if we know the factorization of (p-1). In that case For all a Z p*, the order of a divides (p-1) For every integer divisor b of (p-1), check if a b =1 mod p. If none of these checks succeeds, then a is a generator, since a is a generator iff ord(a)=p-1. page 8 8

9 Finding prime numbers of the right form How can we know the factorization of p-1? Easy, for example, if p=2q+1, and q is prime. How can we find a k-bit prime of this form? 1. Search for a prime number q of length k-1 bits. (Will be successful after about O(k) attempts.) 2. Check if 2q+1 is prime (we will see how to do this later in the course). 3. If not, go to step 1. page 9 9

10 Hard problems in cyclic groups A hard problem can be useful for constructing cryptographic systems, if we can show that breaking the system is equivalent to solving this problem. page 10 10

11 The Discrete Logarithm Let G be a cyclic group of order q, with a generator g. h G, x [1,,q], such that g x =h. This x is called the discrete logarithm of h to the base g. log g h = x. log g 1 = 0, and log g (h 1 h 2 ) = log g (h 1 )+ log g (h 2 ) mod q. page 11 11

12 The Discrete Logarithm Problem and Assumption The discrete log problem Choose G,g at random (from a certain family G of groups), where G is a cyclic group and g is a generator Choose a random element h G Give the adversary the input (G, G,g,h) The adversary succeeds if it outputs log g h The discrete log assumption There exists a family G of groups for which the discrete log problem is hard Namely, the adversary has negligible success probability. page 12 12

13 Cyclic groups of prime order (The order of a group G is the number of elements in the group) Z p * has order p-1 (and p-1 is even and therefore nonprime). We will need to work in groups of prime order. If p=2q+1, and q is prime, then Z p * has a subgroup of order q (namely, a subgroup of prime order). page 13 13

14 Hard problems in cyclic groups of prime order The following problems are believed to be hard in subgroups of prime order of Z p * (if the subgroup is large enough) The discrete log problem The Diffie-Hellman problem: The input contains g and x,y G, such that x=g a and y=g b (where a,b where chosen at random). The task is to find z=g a b. The Decisional Diffie-Hellman problem: The input contains x,y G, such that x=g a and y=g b (and a,b were chosen at random); and a pair (z,z ) where one of (z,z ) is g a b and the other is g c (for a random c). The task is to tell which of (z,z ) is g a b. Solving DDH solving DH solving DL All believed to be hard if the size of the subgroup > page 14 14

15 Classical symmetric ciphers Alice and Bob share a private key k. System is secure as long as k is secret. Major problem: generating and distributing k. k Alice k Bob page 15 15

16 Diffie and Hellman: New Directions in Cryptography, We stand today on the brink of a revolution in cryptography. The development of cheap digital hardware has freed it from the design limitations of mechanical computing such applications create a need for new types of cryptographic systems which minimize the necessity of secure key distribution theoretical developments in information theory and computer science show promise of providing provably secure cryptosystems, changing this ancient art into a science. page 16 16

17 Diffie-Hellman Came up with the idea of public key cryptography public key Bob Alice Bob secret key Bob Everyone can learn Bob s public key and encrypt messages to Bob. Only Bob knows the decryption key and can decrypt. Key distribution is greatly simplified. Diffie and Hellman did not have an implementation for a public key encryption system Suggested a method for key exchange over insecure communication lines, that is still in use today. page 17 17

18 Public Key-Exchange Goal: Two parties who do not share any secret information, perform a protocol and derive the same shared key. No eavesdropper can obtain the new shared key (if it has limited computational resources). The parties can therefore safely use the key as an encryption key. page 18 18

19 The Diffie-Hellman Key Exchange Protocol Public parameters: a group where the DDH assumption holds. For example, a subgroup H Z p * (where p = 768 or 1024, p=2q+1) of order q, and a generator g of H Z p *. Alice: picks a random a [1,q]. Sends g a mod p to Bob. Computes k=(g b ) a mod p Bob: picks a random b [1,q]. Sends g b mod p to Bob. Computes k=(g a ) b mod p K = g ab is used as a shared key between Alice and Bob. DDH assumption K is indistinguishable from a random key page 19 19

20 Diffie-Hellman: security A (passive) adversary Knows Z p*, g Sees g a, g b Wants to compute g ab, or at least learn something about it Recall the Decisional Diffie-Hellman problem: Given random x,y Z p*, such that x=g a and y=g b ; and a pair (g ab,g c ) (in random order, for a random c), it is hard to tell which is g ab. An adversary that distinguishes the key g ab generated in a DH key exchange from random, can also break the DDH. Note: it is insufficient to require that the adversary cannot compute g ab. page 20 20

21 Diffie-Hellman key exchange: usage The DH key exchange can be used in any group in which the Decisional Diffie-Hellman (DDH) assumption is believed to hold. Currently, Z p * and elliptic curve groups. Common usage: Overhead: 1-2 exponentiations Usually, A DH key exchange for generating a master key Master key used to encrypt session keys Session key is used to encrypt traffic with a symmetric cryptosystem page 21 21

22 Why don t we implement Diffie-Hellman in Zp* (but rather in a subgroup H Zp*, for p=2q+1, of order q, and a generator g of H Zp*). For the system to be secure, we need that the DDH assumption holds. This assumption does not hold in Zp* (see discussion below) page 22 22

23 Quadratic Residues The square root of x Z p* is y Z p * s.t. y 2 =x mod p. Examples: sqrt(2) mod 7 = 3, sqrt(3) mod 7 doesn t exist. How many square roots does x Z p* have? If a and b are square roots of x, then x=a 2 =b 2 mod p. Therefore for any two square roots of any number x it holds that (a-b)(a+b)=0 mod p. Therefore either a=b or a= -b modulo p. Therefore x has either 2 or 0 square roots, and is denoted as a Quadratic Residue (QR) or Non Quadratic Residue (NQR), respectively. There are exactly (p-1)/2 QRs. page 23 23

24 Quadratic Residues x (p-1)/2 is either 1 or -1 in Z * p (since (x (p-1)/2 ) 2 is always 1). Euler s theorem: x Z p* is a QR iff x (p-1)/2 = 1 mod p. Legendre s symbol: x p 1 = 1 0 x is a QR in Z x is an NQR in Z x= 0 mod Legendre s symbol can be efficiently computed as x (p-1)/2 mod p. Another way to look at this: let g be a generator of Z p*. Then every x can be written as x=g i mod p. It holds that x is a QR iff i is even. The quadratic residues form a subgroup of order (p-1)/2 (=q) p * p * p page 24 24

25 Does the DDH assumption hold in Z p*? The DDH assumption does not hold in Z p * Assume that both x=g a and y=g b are QRs in Z p*. Then g ab is also a QR, whereas a random g c is an NQR with probability ½. Solution: (work in a subgroup of prime order) Set p=2q+1, where q is prime. φ(z p* ) = p-1 = 2q. Therefore Z p * has a subgroup H of prime order q. Let g be a generator of H (for example, g is a QR in Z p* ). The DDH assumption is believed to hold in H. (The Legendre symbol is always 1.) page 25 25

26 An active attack against the Diffie-Hellman Key Exchange Protocol An active adversary Eve. Can read and change the communication between Alice and Bob. As if Alice and Bob communicate via Eve. Alice Eve Bob page 26 26

27 Man in-the-middle: an active attack against the Diffie-Hellman Key Exchange protocol Alice: picks a random a [1,q]. Sends g a mod p to Bob. Bob: Eve changes g a to g c Computes k=(g d ) a mod p Eve changes g b to g d Keys: Alice Eve Bob g ad g ad, g bc g bc picks a random b [1,q]. Sends g b mod p to Alice. Computes k=(g c ) b mod p Solution:? (wireless usb) page 27 27

28 Public key encryption Alice publishes a public key PK Alice. Alice has a secret key SK Alice. Anyone knowing PK Alice can encrypt messages using it. Message decryption is possible only if SK Alice is known. Compared to symmetric encryption: Easier key management: n users need n keys, rather than O(n 2 ) keys, to communicate securely. Compared to Diffie-Hellman key agreement: No need for an interactive key agreement protocol. (Think about sending ) Secure as long as we can trust the association of keys with users. page 28 28

29 Public key encryption Must have different keys for encryption and decryption. Public key encryption cannot provide perfect secrecy: Suppose E pk () is an algorithm that encrypts m=0/1, and uses r random bits in operation. An adversary is given E pk (m). It can compare it to all possible 2 r encryptions of 0 Efficiency is the main drawback of public key encryption. page 29 29

30 Defining a public key encryption The definition must include the following algorithms; Key generation: KeyGen(1 k ) (PK,SK) (where k is a security parameter, e.g. k=1000). Encryption: C = E PK (m) algorithm) (E might be a randomized Decryption: M= D SK (C) page 30 30

31 The El Gamal public key encryption system Public information (can be common to different public keys): A group in which the DDH assumption holds. Usually start with a prime p=2q+1, and use H Z p* of order q. Define a generator g of H. Key generation: pick a random private key a in [1, H ] (e.g. 0<a<q). Define the public key h=g a (h=g a mod p). Encryption of a message m H Z p * Pick a random 0 < r < q. The ciphertext is (g r, h r m). Decryption of (s,t) Compute t /s a (m= h r m / (g r ) a ) Using public key alone Using private key page 31 31

32 El Gamal and Diffie-Hellman ElGamal encryption is similar to DH key exchange DH key exchange: Adversary sees g a, g b. Cannot distinguish the key g ab from random. El Gamal: A fixed public key g a. Sender picks a random g r. Sender encrypts message using g ar. Known to the adversary Used as a key El Gamal is like DH where The same g a is used for all communication There is no need to explicitly send this g a (it is already known as the public key of Alice) page 32 32

33 The El Gamal public key encryption system Setting the public information A large prime p, and a generator g of H Z p* of order q. p = 756 or 1024 bits. p-1 must have a large prime factor (e.g. p=2q+1) Otherwise it is easy to solve discrete logs in Z p * (relevant also to DH key agreement) Needed for the DDH assumption to hold (Legendre s symbol) g must be a generator of a large subgroup of Z p*. page 33 33

34 The El Gamal public key encryption system Encoding the message: m must be in the subgroup H generated by g. If p=2q+1, and H is the subgroup of quadratic residues, we can map each message m {1,,(p-1)/2} to the value m 2 mod p, which is in H. Alternatively, encrypt m using (g r, H(h r ) m). Decryption is done by computing H( (g r ) a ). (H is a hash function that preserves the pseudo-randomness of h r.) page 34 34

35 The El Gamal public key encryption system Overhead: Encryption: two exponentiations; preprocessing possible. Decryption: one exponentiation. message expansion: m (g r, h r m). Randomized encryption Must use fresh randomness r for every message. Two different encryptions of the same message are different! (provides semantic security) page 35 35